-2

Client has an intranet hosted with Apache on Ubuntu 18.04.

When I update an employee's information through it, an email is sent, but it fails showing the following error: SMTP Error: 421 4.7.66 TLS 1.0 are not supported. Please upgrade/update your client to support TLS 1.2. Visit https://aka.ms/smtp_auth_tls.


It also shows some CakePHP errors, not sure if they could be related.

This makes me think it has nothing to do with the server, since the site is hosted on a Linux machine and I'm being redirected to a Microsoft page, but I could be wrong. Therefore, what does it mean by client? The Windows devices I'm using to access the page should already be configured to be able to use TLS 1.2. Does it mean the Office 365 account that sends the email?

I don't have access to the Office 365 portal so I'd have to contact the client to try out possible solutions if that's the case.

Things I've tried:

  1. Only having TLS 1.2 enabled in inetcpl.cpl on the Windows PC accessing the page.
  2. Defining SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2 in /etc/apache2/mods-enabled/ssl.conf in the server.
Greg Askew
  • 3
    This is your server trying to deliver a mail to a Microsoft server - likely because the recipient is using Microsoft 365 for their mails or Exchange Online. The problem is that the mail client (CakePHP) does not speak TLS 1.2. This has nothing to do with the configuration of the web server you are showing - which is relevant for communication with a web client (browser only). It is a problem of the CakePHP backend/code you use to deliver the mails. – Steffen Ullrich Jun 22 '23 at 08:56
  • @SteffenUllrich I'm guessing this error is now appearing because Office 365 started enforcing TLS 1.2? If so, I can try unchecking the TLS option from the account that sends the emails on the Office 365 panel. – Nico Nico Pizza Jun 27 '23 at 07:30

1 Answer

2

(this started off as a comment but was getting a bit long)

Why are you talking about upgrading your server? The error message clearly states the issue is with your SMTP CLIENT. The error message you have posted here even tells you that the SMTP client is part of cake. However, according to the official documentation ( https://book.cakephp.org/4/en/core-libraries/email.html#configuring-transports ) there is no way to change the TLS version Cake uses.

IMHO this is a significant oversight on the part of the Cake developers and should be reported as a bug, not a feature request.

Note that Cake doesn't actually implement the SSL/TLS encryption - that is handled by OpenSSL - but currently you need to go through Cake to use this.

yourcode -> cake -> openssl -> internet -> SMTP server

Meanwhile, you need to either write your own transport mechanism from scratch, use a different mail sending library or use an SMTP relay.

symcbean
  • 1
    "there is no way to change the TLS version Cake uses. .... IMHO this is a significant oversight on the part of the Cake developers and should be reported as a bug" - I agree that the code is broken but not in this way. You cannot specify a specific TLS version with the browser either. The way TLS works is to use the best version both client and server support. The problem seems to be instead that CakePHP at least in older versions uses STREAM_CRYPTO_METHOD_TLS_CLIENT which seems to mean TLS 1.0 only :( – Steffen Ullrich Jun 27 '23 at 08:13
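
Added example (not part of the original answer or comments, and not CakePHP code): a PHP diagnostic to run on the web server. It lists which TLS versions STREAM_CRYPTO_METHOD_TLS_CLIENT enables on the installed PHP and, when given an SMTP host, reports the protocol a STARTTLS upgrade negotiates with that mask and with an explicit TLS 1.2 mask. The function names, the EHLO name probe.example and the default port 587 are assumptions.

```php
<?php
// Added diagnostic, not CakePHP code. Usage: php tls_probe.php [smtp-host] [port]

// List the TLS versions a stream crypto-method bitmask enables on this PHP build.
function tlsVersionsInMask($mask) {
    $known = array(
        'TLSv1.0' => STREAM_CRYPTO_METHOD_TLSv1_0_CLIENT,
        'TLSv1.1' => STREAM_CRYPTO_METHOD_TLSv1_1_CLIENT,
        'TLSv1.2' => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT,
    );
    if (defined('STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT')) { // only on newer PHP
        $known['TLSv1.3'] = STREAM_CRYPTO_METHOD_TLSv1_3_CLIENT;
    }
    $enabled = array();
    foreach ($known as $name => $bits) {
        // Bit 0 only marks "client"; the protocol version is in the higher bits.
        if ($mask & $bits & ~1) { $enabled[] = $name; }
    }
    return $enabled;
}

// Read one SMTP reply, skipping "250-..." continuation lines.
function smtpReply($fp) {
    do {
        $line = fgets($fp, 1024);
    } while ($line !== false && isset($line[3]) && $line[3] === '-');
    return (string) $line;
}

// Plain SMTP, then STARTTLS, then upgrade with $mask; returns the negotiated protocol.
function probeStartTls($host, $port, $mask) {
    $fp = stream_socket_client("tcp://$host:$port", $errno, $errstr, 10);
    if ($fp === false) { return "connect failed: $errstr"; }
    smtpReply($fp);                          // 220 greeting
    fwrite($fp, "EHLO probe.example\r\n");   // assumed client name
    smtpReply($fp);
    fwrite($fp, "STARTTLS\r\n");
    if (strpos(smtpReply($fp), '220') !== 0) { return 'server refused STARTTLS'; }
    $ok = @stream_socket_enable_crypto($fp, true, $mask);
    $meta = stream_get_meta_data($fp);
    fclose($fp);
    if ($ok !== true) { return 'handshake failed'; }
    return isset($meta['crypto']['protocol']) ? $meta['crypto']['protocol'] : 'unknown';
}

$masks = array('TLS_CLIENT' => STREAM_CRYPTO_METHOD_TLS_CLIENT, 'TLSv1_2_CLIENT' => STREAM_CRYPTO_METHOD_TLSv1_2_CLIENT);
foreach ($masks as $name => $mask) {
    echo 'PHP ', PHP_VERSION, " $name allows: ", implode(', ', tlsVersionsInMask($mask));
    echo isset($argv[1]) ? ', negotiated: ' . probeStartTls($argv[1], isset($argv[2]) ? (int) $argv[2] : 587, $mask) : '', "\n";
}
```

If the TLS_CLIENT line lists only TLSv1.0, a mail library that passes that constant cannot meet a server's TLS 1.2 requirement, whatever the installed OpenSSL supports.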